UNPKG

langsmith

Version:

Client library to connect to the LangSmith Observability and Evaluation Platform.

270 lines (269 loc) 12 kB
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.DEFAULT_SECRET_RULES = exports.SECRET_PLACEHOLDER = void 0; exports.createAnonymizer = createAnonymizer; exports.createSecretAnonymizer = createSecretAnonymizer; function extractStringNodes(data, options) { const parsedOptions = { ...options, maxDepth: options.maxDepth ?? 10 }; const queue = [[data, 0, "", null, ""]]; let nextId = 0; const result = []; while (queue.length > 0) { const task = queue.shift(); if (task == null) continue; const [value, depth, path, parent, key] = task; if (typeof value === "string") { result.push({ value, path, parent: parent, key, _id: nextId++, }); } else if (Array.isArray(value)) { if (depth >= parsedOptions.maxDepth) continue; for (let i = 0; i < value.length; i++) { queue.push([ value[i], depth + 1, `${path}[${i}]`, value, String(i), ]); } } else if (typeof value === "object" && value != null) { if (depth >= parsedOptions.maxDepth) continue; for (const [k, nestedValue] of Object.entries(value)) { queue.push([ nestedValue, depth + 1, path ? `${path}.${k}` : k, value, k, ]); } } } return result; } function deepClone(data) { return JSON.parse(JSON.stringify(data)); } function createAnonymizer(replacer, options) { return (data) => { let mutateValue = deepClone(data); const nodes = extractStringNodes(mutateValue, { maxDepth: options?.maxDepth, }); const processor = Array.isArray(replacer) ? (() => { const replacers = replacer.map(({ pattern, type, replace }) => { if (type != null && type !== "pattern") throw new Error("Invalid anonymizer type"); return [ typeof pattern === "string" ? new RegExp(pattern, "g") : pattern, replace ?? "[redacted]", ]; }); if (replacers.length === 0) throw new Error("No replacers provided"); return { maskNodes: (nodes) => { return nodes.reduce((memo, item) => { const newValue = replacers.reduce((value, [regex, replace]) => { const result = value.replace(regex, replace); // make sure we reset the state of regex regex.lastIndex = 0; return result; }, item.value); if (newValue !== item.value) { memo.push({ ...item, value: newValue }); } return memo; }, []); }, }; })() : typeof replacer === "function" ? { maskNodes: (nodes) => nodes.reduce((memo, item) => { const newValue = replacer(item.value, item.path); if (newValue !== item.value) { memo.push({ ...item, value: newValue }); } return memo; }, []), } : replacer; // Build a lookup from _id to internal node for direct write-back. const nodesById = new Map(); for (const node of nodes) { nodesById.set(node._id, node); } const toUpdate = processor.maskNodes(nodes); for (const node of toUpdate) { if (node.path === "") { mutateValue = node.value; } else { // Match by _id if available (built-in replacers propagate it from // the input nodes), otherwise fall back to path matching. const asInternal = node; const internal = asInternal._id !== undefined ? nodesById.get(asInternal._id) : nodes.find((n) => n.path === node.path); if (internal) { internal.parent[internal.key] = node.value; } } } return mutateValue; }; } /** * Replacement token written in place of detected secrets by * {@link DEFAULT_SECRET_RULES} / {@link createSecretAnonymizer}. */ exports.SECRET_PLACEHOLDER = "[SECRET_DETECTED]"; /** * A curated, high-precision rule set for detecting common credentials in * traced data (prompts, tool inputs/outputs, file contents, shell commands). * * Designed to favor *low false positives* over exhaustive coverage: * - Provider rules are anchored to well-known key prefixes. * - Structural rules only fire when a sensitive *name* (api_key, token, * password, …) is paired with an assignment/separator, so ordinary code, * UUIDs, and hashes are left intact. * * This is NOT a port of gitleaks/secretlint; pattern shapes are drawn from * those projects (and provider docs) as a reference only. Every rule sets an * explicit `replace` because {@link createAnonymizer}'s default is * `[redacted]`, whereas the shared token here is {@link SECRET_PLACEHOLDER}. * * Patterns are written to port 1:1 to the Python SDK preset (no lookbehind). */ exports.DEFAULT_SECRET_RULES = [ // ── Provider API keys (prefix-anchored) ───────────────────────────────── // Anthropic { pattern: /sk-ant-[A-Za-z0-9_-]{20,}/g, replace: exports.SECRET_PLACEHOLDER }, // OpenAI: project / service-account / admin keys, then legacy `sk-...` { pattern: /sk-(?:proj|svcacct|admin)-[A-Za-z0-9_-]{20,}/g, replace: exports.SECRET_PLACEHOLDER, }, { pattern: /sk-[A-Za-z0-9]{32,}/g, replace: exports.SECRET_PLACEHOLDER }, // LangSmith (keys are multi-segment: lsv2_pt_<key>_<tail> — match the // full underscore-delimited tail so none of it leaks past the placeholder) { pattern: /lsv2_(?:pt|sk)_[A-Za-z0-9]{32,}(?:_[A-Za-z0-9]+)*/g, replace: exports.SECRET_PLACEHOLDER, }, { pattern: /ls__[A-Za-z0-9]{16,}/g, replace: exports.SECRET_PLACEHOLDER }, // GitHub personal access / app tokens { pattern: /gh[pousr]_[A-Za-z0-9]{36,}/g, replace: exports.SECRET_PLACEHOLDER }, { pattern: /github_pat_[A-Za-z0-9_]{82}/g, replace: exports.SECRET_PLACEHOLDER }, // GitLab personal access token { pattern: /glpat-[A-Za-z0-9_-]{20,}/g, replace: exports.SECRET_PLACEHOLDER }, // AWS access key id (covers AKIA/ASIA/ABIA/ACCA/A3T* prefixes) { pattern: /\b(?:AKIA|ASIA|ABIA|ACCA|A3T[A-Z0-9])[0-9A-Z]{16}\b/g, replace: exports.SECRET_PLACEHOLDER, }, // Google API key + OAuth access token { pattern: /AIza[0-9A-Za-z_-]{35}/g, replace: exports.SECRET_PLACEHOLDER }, { pattern: /ya29\.[0-9A-Za-z_-]+/g, replace: exports.SECRET_PLACEHOLDER }, // Slack tokens (bot/user + app-level) + incoming webhooks { pattern: /xox[baprs]-[A-Za-z0-9-]{10,}/g, replace: exports.SECRET_PLACEHOLDER }, { pattern: /xapp-\d-[A-Za-z0-9-]{10,}/g, replace: exports.SECRET_PLACEHOLDER }, { pattern: /https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9/]+/g, replace: exports.SECRET_PLACEHOLDER, }, // Stripe { pattern: /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{20,}\b/g, replace: exports.SECRET_PLACEHOLDER, }, // npm { pattern: /npm_[A-Za-z0-9]{36}/g, replace: exports.SECRET_PLACEHOLDER }, // PyPI upload token { pattern: /pypi-AgEIcHlwaS[A-Za-z0-9_-]{50,}/g, replace: exports.SECRET_PLACEHOLDER, }, // SendGrid { pattern: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g, replace: exports.SECRET_PLACEHOLDER, }, // ── Structured tokens ──────────────────────────────────────────────────── // JWT (header.payload.signature) { pattern: /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, replace: exports.SECRET_PLACEHOLDER, }, // PEM private key blocks (RSA/EC/OPENSSH/DSA/plain + PGP "...KEY BLOCK") { pattern: /-----BEGIN (?:[A-Z0-9 ]+ )?PRIVATE KEY(?: BLOCK)?-----[\s\S]+?-----END (?:[A-Z0-9 ]+ )?PRIVATE KEY(?: BLOCK)?-----/g, replace: exports.SECRET_PLACEHOLDER, }, // ── Structural / contextual (sensitive NAME + assignment) ───────────────── // KEY=value or "key": "value" where the name looks sensitive. Keep the name // and separator ($1), redact the value. Notes: // - (?![A-Za-z0-9]) after the keyword requires a component boundary, so // `token` matches `api_token`/`mytoken` but NOT `tokenizer`/`tokens`. // - the value may start with an auth scheme word (Bearer/Token/Basic) so a // `X-Api-Key: Bearer <tok>` shape redacts the credential, not just "Bearer". // - value excludes & and ; so query-string params past the secret survive. // - requires a 6+ char value so short non-secret values are not touched. { pattern: /\b([A-Za-z0-9_.-]*(?:API[_-]?KEY|SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE[_-]?KEY|ACCESS[_-]?KEY|AUTH[_-]?TOKEN|CLIENT[_-]?SECRET)(?![A-Za-z0-9])(?:[_.-][A-Za-z0-9]+)*["']?\s*[:=]\s*["']?)(?:(?:bearer|token|basic)\s+)?[^\s"'&;]{6,}/gi, replace: `$1${exports.SECRET_PLACEHOLDER}`, }, // Authorization / API-key headers. Keep the header name + separator ($1$2) // and an optional scheme ($3); redact the credential. { pattern: /\b(authorization|x-api-key|x-auth-token)(["']?\s*[:=]\s*["']?)(bearer\s+|token\s+|basic\s+)?[A-Za-z0-9._~+/-]{8,}=*/gi, replace: `$1$2$3${exports.SECRET_PLACEHOLDER}`, }, // Bare "Bearer <token>" (any case; the scheme word is preserved via $1). { pattern: /\b(Bearer\s+)[A-Za-z0-9._~+/-]{10,}=*/gi, replace: `$1${exports.SECRET_PLACEHOLDER}`, }, // Credentials embedded in URLs: proto://user:PASS@host -> redact PASS only. // Username is optional so proto://:PASS@host (empty user) is still covered. { pattern: /\b([a-z][a-z0-9+.-]*:\/\/[^:@/\s]*:)[^@/\s]+(@)/gi, replace: `$1${exports.SECRET_PLACEHOLDER}$2`, }, ]; /** * Build an anonymizer pre-loaded with {@link DEFAULT_SECRET_RULES} suitable for * passing to `new Client({ anonymizer })`. It redacts detected secrets from run * inputs, outputs, and metadata client-side, before they are uploaded. * * @param options.extraRules - Additional rules appended after the defaults. * @param options.maxDepth - Max recursion depth (default 24; higher than * `createAnonymizer`'s default of 10 because traced payloads nest deeply, * e.g. `messages[].content[].args`). * * @example * ```ts * import { Client } from "langsmith"; * import { createSecretAnonymizer } from "langsmith/anonymizer"; * * const client = new Client({ anonymizer: createSecretAnonymizer() }); * ``` */ function createSecretAnonymizer(options) { const rules = [...exports.DEFAULT_SECRET_RULES, ...(options?.extraRules ?? [])]; return createAnonymizer(rules, { maxDepth: options?.maxDepth ?? 24 }); }